From e6905a24c1a7540f25a35be40c64e201e98d4dcd Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 12 Mar 2026 16:56:39 +0000 Subject: [PATCH] Add content from: Research Update Enhanced src/generic-methodologies-and-resou... --- .../pentesting-network/ids-evasion.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md b/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md index 0ee5e68bbe5..80790337860 100644 --- a/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md +++ b/src/generic-methodologies-and-resources/pentesting-network/ids-evasion.md 
@@ -41,12 +41,22 @@ Or maybe, 2 packets with the same offset comes and the host has to decide which - **First** (Windows): First value that comes, value that stays. - **Last** (cisco): Last value that comes, value that stays. +Recent research shows that **overlap handling still differs across OS/NIDS implementations**, and that **overlap-based evasion/insertion remains practical** when the IDS policy doesn't exactly match the monitored host. This applies to both IP fragmentation and TCP segmentation overlaps, so testing with target-specific overlap policies is still relevant in modern environments. + +## **IPv6 Atomic Fragments** + +IPv6 allows packets to include a **Fragment Header** even when they are not actually fragmented ("atomic fragments"). These packets are processed differently by some stacks and middleboxes. Testing IDS/IPS behavior with atomic fragments can reveal **fragment-header handling gaps** and reassembly inconsistencies. + ## Tools - [https://github.com/vecna/sniffjoke](https://github.com/vecna/sniffjoke) +## References + +- [https://arxiv.org/abs/2504.21618](https://arxiv.org/abs/2504.21618) +- [https://datatracker.ietf.org/doc/html/rfc6946](https://datatracker.ietf.org/doc/html/rfc6946) -{{#include ../../banners/hacktricks-training.md}} +{{#include ../../banners/hacktricks-training.md}}
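Review bot: The added "Recent research shows that overlap handling still differs..." paragraph asserts a finding with no inline citation; the only support is the arXiv link (https://arxiv.org/abs/2504.21618) dropped into a new "References" section placed after "Tools", so cite it inline where the claim is made (e.g. "Recent research ([arXiv:2504.21618](https://arxiv.org/abs/2504.21618)) shows ...") and, for consistency with the rest of the file, keep "References" as the last section before the banner include. Likewise, the "IPv6 Atomic Fragments" section should point at RFC 6946 where it says atomic fragments "are processed differently by some stacks and middleboxes": RFC 6946 updated the IPv6 spec to require that atomic fragments be processed in isolation rather than through the reassembly path, so the security-relevant point is that implementations and middleboxes that still queue them for reassembly diverge from the host, which is what makes the policy mismatch detectable and worth testing for; stating that makes the "reassembly inconsistencies" claim concrete instead of vague. Finally, the `-{{#include ../../banners/hacktricks-training.md}}` / `+{{#include ...}}` pair at the end changes only whitespace (most likely the trailing newline); either drop it or mention it in the commit message so reviewers do not read it as a content change.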